From owner-freebsd-pf@FreeBSD.ORG  Fri Sep 29 07:32:23 2006
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9EA8D16A412
	for <freebsd-pf@freebsd.org>; Fri, 29 Sep 2006 07:32:23 +0000 (UTC)
	(envelope-from Greg.Hennessy@nviz.net)
Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.149.33.74])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 38F9643D4C
	for <freebsd-pf@freebsd.org>; Fri, 29 Sep 2006 07:32:23 +0000 (GMT)
	(envelope-from Greg.Hennessy@nviz.net)
Received: from gw2.local.net (unknown [62.3.210.251])
	by smtp.nildram.co.uk (Postfix) with ESMTP id 273EA102C5CC
	for <freebsd-pf@freebsd.org>; Fri, 29 Sep 2006 08:32:20 +0100 (BST)
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
Cc: <freebsd-pf@freebsd.org>
Date: Fri, 29 Sep 2006 08:31:57 +0100
Keywords: freebsd-pf
Message-ID: <000c01c6e399$58043510$0a00a8c0@thebeast>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
In-Reply-To: <fee88ee40609281617x79d956d0vce726c6f4b45e087@mail.gmail.com>
thread-index: AcbjVmi09CfAWeaAQwqwIh4w+pg2AgAQl26w
X-OriginalArrivalTime: 29 Sep 2006 07:31:57.0281 (UTC)
	FILETIME=[58043510:01C6E399]
Subject: RE: BAD state/State failure with large number of requests
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Sep 2006 07:32:23 -0000

 

> The part that confused me was that the connections failed 
> immediately -- it turns out that PF sends a RST upon state 
> mismatch during the intial handshake, as opposed to dropping 
> the packets and letting the connection time out.


As a matter of policy, I would never black hole internally sourced traffic
traversing packet filtering infrastructure under my control. 

There are few things worse from a management/debugging perspective than to
have packets disappear into the wild blue yonder with no indication of why. 



Greg